Burp Suite User Forum

Login to post

Allowing all hosts through SSL passthrough except one?

Jesse | Last updated: Jul 31, 2020 07:36PM UTC

Any way to allow all hosts through SSL passthrough except one, say "hostname"? I tried this Regex: ^((?!hostname).)*$ Now everything passes through, but also including "hostname". I want hostname to *not* passthrough. Thanks!

Uthman, PortSwigger Agent | Last updated: Aug 03, 2020 08:51AM UTC

Hi, Have you tried the below? ^(?!hostname).*$

Jesse | Last updated: Oct 15, 2020 12:52PM UTC

Hello, Sorry for the delayed response here. I just tried that, and it had the same effect. Say I put one ssl passthrough regex, ^(?!google).*$ -- Now if I type google.com into my browser, it will show up in the http history because the first time you type it in, it is not through SSL (just http://google.com appears). But if I then type in a search so the URL is now https://www.google.com/search?[whatever], this URL will not find its way into the http history, because it is being passed through SSL. With this one rule in place, the above behaviour now works with any hostname. So if I typed msn.com into the browser, it'd show up, but then any SSL traffic gets passed through. The goal is to have the site I'm testing (say, google.com) and *all* its SSL traffic be captured, while all the other sites are ignored. I hope I am making sense!

Uthman, PortSwigger Agent | Last updated: Oct 15, 2020 01:20PM UTC

Thanks for clarifying. Have you considered setting the Target > Scope at the beginning of the project? That should drop all out of scope traffic.

Jesse | Last updated: Oct 15, 2020 10:14PM UTC

Thanks for the fast reply!! Excited to potentially get this solved. Using Target>Scope removes out of scope traffic from the history, but does *not* allow them to pass through SSL. So now other apps on the device that require SSL passthrough do not function. The target scope looks perfect if I could somehow apply it to the SSL passthrough to say "pass through everything *except* this"

Hannah, PortSwigger Agent | Last updated: Oct 28, 2020 10:58AM UTC

Hi I'm really sorry for such a late reply. We've had some success using: ^(?!portswigger-labs\.net$) ^443$ when testing with portswigger-labs.net Could you give that a go with your target?

Jesse | Last updated: Oct 30, 2020 08:19PM UTC

Are you saying to put this in the TLS Passthrough? If so, this does not seem to work. Again, everything passes through (correct) including the hostname I specified (incorrect). Does that work for your team? You put in those settings into TLS passthrough and now https connections to portswigger-labs (and all subdirectories like portswigger-labs/directory/file.php?var=value) are captured by Burp suite?

Uthman, PortSwigger Agent | Last updated: Nov 03, 2020 01:04PM UTC

Yes. Can you try putting ^(?!portswigger-labs\.net$) into the 'Host or IP range' and ^443$ into the 'Port'? Or are you adding these as two separate entries? That should allow all HTTP and HTTPS traffic for portswigger-labs.net to show up in your HTTP history, whilst other sites will only show up if HTTP is used.

Jesse | Last updated: Nov 05, 2020 07:28PM UTC

Indeed that's exactly how I have used it with the port and range in the same entry in the TLS passthrough. Trying portswigger-labs.net seems to just give http traffic, but trying say portswigger.net as the hostname (or any other https site), no HTTPS traffic shows up in the http history, and I can tell the hostname I'm trying to exclude *is* being passed through TLS.

Uthman, PortSwigger Agent | Last updated: Nov 09, 2020 11:20AM UTC

Thanks a lot for your cooperation and patience. Can you please email us at support@portswigger.net with screenshots of what you have done so far? We may be able to send you a video with clearer instructions.

You need to Log in to post a reply. Or register here, for free.